update(userspace/falco, cmake): updated libs to latest master.

Adapted API to sinsp::open API break, and simple consumer API break.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>

Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it>

CMakeLists.txt

@@ -114,6 +114,11 @@ set(DRIVER_NAME "falco")
 set(DRIVER_DEVICE_NAME "falco")
 set(DRIVERS_REPO "https://download.falco.org/driver")
 
+# If no path is provided, try to search the BPF probe in: `home/.falco/falco-bpf.o`
+# This is the same fallback that we had in the libraries: `SCAP_PROBE_BPF_FILEPATH`.
+set(FALCO_PROBE_BPF_FILEPATH ".${DRIVER_NAME}/${DRIVER_NAME}-bpf.o")
+add_definitions(-DFALCO_PROBE_BPF_FILEPATH="${FALCO_PROBE_BPF_FILEPATH}")
+
 if(NOT DEFINED FALCO_COMPONENT_NAME)
     set(FALCO_COMPONENT_NAME "${CMAKE_PROJECT_NAME}")
 endif()

cmake/modules/driver.cmake

@@ -26,8 +26,8 @@ else()
   # In case you want to test against another driver version (or branch, or commit) just pass the variable -
   # ie., `cmake -DDRIVER_VERSION=dev ..`
   if(NOT DRIVER_VERSION)
-    set(DRIVER_VERSION "6599e2efebce30a95f27739d655d53f0d5f686e4")
-    set(DRIVER_CHECKSUM "SHA256=7cd84fe8a41c25bba9cd7d5d86a87d2483658e367b885ddbd3037aa45404df04")
+    set(DRIVER_VERSION "ee7f45765ce02ddc33dc516c374d63df3653d0f7")
+    set(DRIVER_CHECKSUM "SHA256=33a974070208f9bfd15e216a6e9b1e93a11c7e4d1add0abc3ae3201ed45f0413")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

cmake/modules/falcosecurity-libs.cmake

@@ -27,8 +27,8 @@ else()
   # In case you want to test against another falcosecurity/libs version (or branch, or commit) just pass the variable -
   # ie., `cmake -DFALCOSECURITY_LIBS_VERSION=dev ..`
   if(NOT FALCOSECURITY_LIBS_VERSION)
-    set(FALCOSECURITY_LIBS_VERSION "6599e2efebce30a95f27739d655d53f0d5f686e4")
-    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=7cd84fe8a41c25bba9cd7d5d86a87d2483658e367b885ddbd3037aa45404df04")
+    set(FALCOSECURITY_LIBS_VERSION "ee7f45765ce02ddc33dc516c374d63df3653d0f7")
+    set(FALCOSECURITY_LIBS_CHECKSUM "SHA256=33a974070208f9bfd15e216a6e9b1e93a11c7e4d1add0abc3ae3201ed45f0413")
   endif()
 
   # cd /path/to/build && cmake /path/to/source

userspace/falco/app_actions/init_inspectors.cpp

@@ -20,7 +20,7 @@ limitations under the License.
 
 using namespace falco::app;
 
-static void init_syscall_inspector(
+void application::init_syscall_inspector(
 		std::shared_ptr<sinsp> inspector,
 		const falco::app::cmdline_options& opts)
 {
@@ -48,12 +48,11 @@ static void init_syscall_inspector(
 
 	if(!opts.all_events)
 	{
-		// Drop EF_DROP_SIMPLE_CONS kernel side
-		inspector->set_simple_consumer();
-		// Eventually, drop any EF_DROP_SIMPLE_CONS event
-		// that reached userspace (there are some events that are not syscall-based
-		// like signaldeliver, that have the EF_DROP_SIMPLE_CONS flag)
-		inspector->set_drop_event_flags(EF_DROP_SIMPLE_CONS);
+		m_state->ppm_sc_of_interest = inspector->enforce_simple_ppm_sc_set();
+		m_state->tp_of_interest = inspector->enforce_sinsp_state_tracepoints();
+		// We are not interested in sched_switch tracepoint,
+		// highly noisy and not useful for state/events enrichment.
+		m_state->tp_of_interest.erase(SCHED_SWITCH);
 	}
 
 	inspector->set_hostname_and_port_resolution_mode(false);

userspace/falco/app_actions/load_rules_files.cpp

@@ -39,7 +39,7 @@ void application::check_for_ignored_events()
 			continue;
 		}
 
-		if(!sinsp::simple_consumer_consider_evtnum(evtnum))
+		if(!simple_consumer_consider(etable[evtnum].flags, false))
 		{
 			std::string name = etable[evtnum].name;
 			if(warn_event_names.find(name) == warn_event_names.end())

userspace/falco/app_actions/open_inspector.cpp

@@ -22,13 +22,15 @@ limitations under the License.
 
 #include "application.h"
 
+#define FALCO_BPF_ENV_VARIABLE "FALCO_BPF_PROBE"
+
 using namespace falco::app;
 
 application::run_result application::open_offline_inspector()
 {
 	try
 	{
-		m_state->offline_inspector->open(m_options.trace_filename);
+		m_state->offline_inspector->open_savefile(m_options.trace_filename, 0);
 		falco_logger::log(LOG_INFO, "Reading system call events from file: " + m_options.trace_filename + "\n");
 		return run_result::ok();
 	}
@@ -46,13 +48,12 @@ application::run_result application::open_live_inspector(
 	{
 		if (source != falco_common::syscall_source)
 		{
-			for (const auto p: inspector->get_plugin_manager()->plugins())
+			for (const auto& p: inspector->get_plugin_manager()->plugins())
 			{
 				if (p->caps() & CAP_SOURCING && p->event_source() == source)
 				{
 					auto cfg = m_state->plugin_configs.at(p->name());
-					inspector->set_input_plugin(cfg->m_name, cfg->m_open_params);
-					inspector->open();
+					inspector->open_plugin(cfg->m_name, cfg->m_open_params);
 					return run_result::ok();
 				}
 			}
@@ -67,41 +68,51 @@ application::run_result application::open_live_inspector(
 			// Regardless of the implementation, the underlying method remains the same.
 			inspector->open_udig();
 		}
-		else if(m_options.gvisor_config != "")
+		else if(!m_options.gvisor_config.empty())
 		{
 			falco_logger::log(LOG_INFO, "Enabled event collection from gVisor. Configuration path: " + m_options.gvisor_config);
 			inspector->open_gvisor(m_options.gvisor_config, m_options.gvisor_root);
 		}
-		else
+		else if(getenv(FALCO_BPF_ENV_VARIABLE) != NULL) /* BPF engine. */
 		{
-			inspector->open();
-		}
-	}
-	catch (sinsp_exception &e)
+			const char *bpf_probe_path = std::getenv(FALCO_BPF_ENV_VARIABLE);
+			char full_path[PATH_MAX];
+			/* If the path is empty try to load the probe from the default path. */
+			if(strncmp(bpf_probe_path, "", 1) == 0)
 			{
-		// If syscall input source is enabled and not through userspace instrumentation
-		if (m_options.gvisor_config.empty() && !m_options.userspace)
+				const char *home = std::getenv("HOME");
+				if(!home)
+				{
+					return run_result::fatal("Cannot get the env variable 'HOME'");
+				}
+				snprintf(full_path, PATH_MAX, "%s/%s", home, FALCO_PROBE_BPF_FILEPATH);
+				bpf_probe_path = full_path;
+			}
+			inspector->open_bpf(2048, bpf_probe_path, m_state->ppm_sc_of_interest, m_state->tp_of_interest);
+			falco_logger::log(LOG_INFO, "Starting capture with BPF probe. BPF probe path: " + std::string(bpf_probe_path));
+		}
+		else /* Kernel module (default). */
+		{
+			try
+			{
+				inspector->open_kmod(2048, m_state->ppm_sc_of_interest, m_state->tp_of_interest);
+				falco_logger::log(LOG_INFO, "Starting capture with Kernel module.");
+			}
+			catch(sinsp_exception &e)
 			{
 				// Try to insert the Falco kernel module
 				if(system("modprobe " DRIVER_NAME " > /dev/null 2> /dev/null"))
 				{
 					falco_logger::log(LOG_ERR, "Unable to load the driver.\n");
 				}
-			inspector->open();
+				inspector->open_kmod(2048, m_state->ppm_sc_of_interest, m_state->tp_of_interest);
 			}
-		else
+		}
+	}
+	catch (sinsp_exception &e)
 	{
 		return run_result::fatal(e.what());
 	}
-	}
-
-	/// TODO: we can add a method to the inspector that tells us what 
-	/// is the underline engine used. Right now we print something only 
-	/// in case of BPF engine
-	if (inspector->is_bpf_enabled())
-	{
-		falco_logger::log(LOG_INFO, "Falco is using the BPF probe\n");	
-	}
 
 	// This must be done after the open
 	if (!m_options.all_events)

userspace/falco/app_actions/print_ignored_events.cpp

@@ -28,7 +28,7 @@ void application::print_all_ignored_events()
 	std::set<string> ignored_event_names;
 	for(uint32_t j = 0; j < PPM_EVENT_MAX; j++)
 	{
-		if(!sinsp::simple_consumer_consider_evtnum(j))
+		if(!simple_consumer_consider(etable[j].flags))
 		{
 			std::string name = etable[j].name;
 			// Ignore event names NA*
@@ -39,9 +39,10 @@ void application::print_all_ignored_events()
 		}
 	}
 
+	auto simple_set = inspector->enforce_simple_ppm_sc_set();
 	for(uint32_t j = 0; j < PPM_SC_MAX; j++)
 	{
-		if(!sinsp::simple_consumer_consider_syscallid(j))
+		if(simple_set.find(j) == simple_set.end())
 		{
 			std::string name = stable[j].name;
 			// Ignore event names NA*
@@ -53,7 +54,7 @@ void application::print_all_ignored_events()
 	}
 
 	printf("Ignored Event(s):");
-	for(auto it : ignored_event_names)
+	for(const auto& it : ignored_event_names)
 	{
 		printf(" %s", it.c_str());
 	}

userspace/falco/app_actions/process_events.cpp

@@ -189,7 +189,7 @@ application::run_result application::do_inspect(
 			return run_result::fatal("Drop manager internal error");
 		}
 
-		if(!ev->simple_consumer_consider() && !m_options.all_events)
+		if (!(simple_consumer_consider(ev->get_info_flags()) || m_options.all_events))
 		{
 			continue;
 		}

userspace/falco/application.cpp

@@ -44,7 +44,9 @@ application::state::state()
 	  loaded_sources(),
 	  enabled_sources(),
 	  source_infos(),
-	  plugin_configs()
+	  plugin_configs(),
+	  ppm_sc_of_interest(),
+	  tp_of_interest()
 {
 	config = std::make_shared<falco_configuration>();
 	engine = std::make_shared<falco_engine>();

userspace/falco/application.h

@@ -110,6 +110,12 @@ private:
 
 		std::string cmdline;
 
+		// Set of syscalls we want the driver to capture
+		std::unordered_set<uint32_t> ppm_sc_of_interest;
+
+		// Set of tracepoints we want the driver to capture
+		std::unordered_set<uint32_t> tp_of_interest;
+
 #ifndef MINIMAL_BUILD
 		falco::grpc::server grpc_server;
 		std::thread grpc_server_thread;
@@ -268,6 +274,7 @@ private:
 	run_result open_offline_inspector();
 	run_result open_live_inspector(std::shared_ptr<sinsp> inspector, const std::string& source);
 	void add_source_to_engine(const std::string& src);
+	void init_syscall_inspector(std::shared_ptr<sinsp> inspector, const falco::app::cmdline_options& opts);
 	run_result do_inspect(
 		std::shared_ptr<sinsp> inspector,
 		const std::string& source, // an empty source represents capture mode
@@ -292,6 +299,16 @@ private:
 		return !m_options.gvisor_config.empty();
 	}
 
+	bool simple_consumer_consider(int flags, bool old_version = true) const
+	{
+		int ignored_flagset = EF_SKIPPARSERESET | EF_UNUSED;
+		if (old_version)
+		{
+			ignored_flagset |= EF_OLD_VERSION;
+		}
+		return !(flags & ignored_flagset);
+	}
+
 	std::unique_ptr<state> m_state;
 	cmdline_options m_options;
 	bool m_initialized;